On Fri, 24 May 2024, Sam Morris via FreeIPA-users wrote:
On 24/05/2024 15:52, Alexander Bokovoy via FreeIPA-users wrote:
On Fri, 24 May 2024, Sam Morris via FreeIPA-users wrote:
On 24/05/2024 13:07, Sam Morris via FreeIPA-users wrote:
On non-IPA clients I'm using AllowUsers/AllowGroups to restrict which local users are able to SSH into a system.

On IPA clients I am using HBAC to control the same for IPA users. But what's the best way to control which local users can SSH in to an IPA client?

Sorry, I forgot to add "... without disrupting access to the IPA client for IPA users".

[...]

I don't understand why you cannot handle the access control through HBAC
rules. These days glibc supports group merging feature (since glibc
2.24, around 2016), so you can have a group in IPA and a group in
/etc/group, then include local user into that local group. With
appropriate configuration, SSSD will add local user into that IPA group
membership locally and thus you can use that IPA group in HBAC rules.

See https://sourceware.org/glibc/wiki/Proposals/GroupMerging and the man
page for nsswitch.conf(5), 'merge' ACTION for the 'group' database.

Thanks for that, I haven't used group merging yet. But, hmm, I'm not sure it will help here...

My goals are:

* Local user access to be controlled by group membership
* IPA user access to be controlled via IPA HBAC
* IPA user access to not be controlled by group membership

I don't know how you would get that working. What I suggest instead is
to have both local and IPA users access done via IPA HBAC. This is
possible to achieve without modifying any PAM or SSH daemon setup.
If I create a local group 'allow-ssh' and configure sshd with 'AllowGroups allow-ssh' then my IPA users can't SSH in any more, because they aren't a member of the local group.

So I was thinking that the local group combined with "AllowGroups ipausers allow-ssh" would work, but then we have the undesirably large POSIX group that will cause performance problems in large domains.

If I understand group merging correctly, it lets me create a local allow-ssh group with the same GID as an IPA POSIX allow-ssh group, and then looking up the group's membership will return both local and IPA users. But doesn't that mean all my users need to be in the IPA allow-ssh POSIX group, which is no different to making ipausers into a POSIX group?

Your IPA allow-ssh POSIX group will have no members in IPA.
Your local allow-ssh POSIX group will have local users that need to be
logged in on a specific host.

Your HBAC rule for allow-ssh would include IPA allow-ssh group. That is
enough -- the rest is done by SSSD on the specific system.

Try it. ;)

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
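As an added example (not code from the thread, nor from the FreeIPA or SSSD projects), the following script wires up the arrangement Alexander sketches: an IPA POSIX group `allow-ssh` with no members, a local `/etc/group` entry of the same name and GID holding the local accounts, the `[SUCCESS=merge]` action on the `group` database in nsswitch.conf, and an HBAC rule that grants `sshd` to the IPA group. The group name comes from the thread; the GID 60010, the local user `ops-local` and the host `client.example.test` are constructed placeholders. The `files [SUCCESS=merge] sss` ordering follows the glibc GroupMerging wiki page linked above; the `ipa` subcommands are the standard ones. The `verify` function checks only what `getent` shows, i.e. that the merged entry carries the shared GID and lists the local user; whether pam_sss then applies the HBAC rule to that local user is the part Alexander leaves to "try it".

```shell
#!/bin/sh
# Added example: group merging between /etc/group and SSSD so that an
# HBAC rule on an IPA group can govern local accounts too.
GROUP=allow-ssh
GID_SHARED=60010               # constructed: any free GID, identical in IPA and /etc/group
LOCAL_USER=ops-local           # constructed local account
HOST_FQDN=client.example.test  # constructed IPA client host

# Rewrite the 'group:' line so that a successful lookup in files continues
# into sss and the two entries (same name, same GID) are merged into one.
# Takes an optional path so it can be exercised on a copy of the file.
configure_nsswitch() {
    f="${1:-/etc/nsswitch.conf}"
    if grep -q '^group:.*SUCCESS=merge' "$f"; then
        return 0    # already done, keep it idempotent
    fi
    sed 's/^group:[[:space:]]*files[[:space:]][[:space:]]*sss.*$/group:      files [SUCCESS=merge] sss/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
    grep -q '^group:.*\[SUCCESS=merge\]' "$f"
}

# IPA side: an empty POSIX group with the shared GID, referenced by an HBAC
# rule that grants sshd on this host. Needs an admin Kerberos ticket.
create_ipa_side() {
    ipa group-add "$GROUP" --gid="$GID_SHARED" --desc='SSH access; members live in /etc/group'
    ipa hbacrule-add "$GROUP" --desc='sshd via merged group'
    ipa hbacrule-add-user "$GROUP" --groups="$GROUP"
    ipa hbacrule-add-host "$GROUP" --hosts="$HOST_FQDN"
    ipa hbacrule-add-service "$GROUP" --hbacsvcs=sshd
}

# Local side: same name and GID, holding the local accounts that may log in.
# Run as root on the client.
create_local_side() {
    groupadd -g "$GID_SHARED" "$GROUP"
    gpasswd -a "$LOCAL_USER" "$GROUP"
}

# Print the members from a 'getent group' line (name:x:gid:user1,user2),
# one per line; prints nothing for an empty member list.
members_of() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Confirm the merged view on the client: the GID matches the shared one and
# the local account is listed although the IPA copy of the group is empty.
verify() {
    line=$(getent group "$GROUP") || return 1
    [ "$(printf '%s' "$line" | cut -d: -f3)" = "$GID_SHARED" ] || return 1
    members_of "$line" | grep -qx "$LOCAL_USER"
}

# Usage on a real client (not executed here):
#   create_ipa_side && create_local_side && configure_nsswitch && verify
```

If `verify` fails, check first that the GID really is identical on both sides: merging only happens for entries whose name and GID agree, and a mismatch silently leaves you with the first source's entry.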
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue